I've just started in a new company, and have been going over the setup of their Apache webserver conf files... only to find that they've had their apache servers set up as open proxies available to all the world for the last two months. I've already set ProxyRequests Off in the httpd.conf file and restarted the web server, but the access log file is still growing at a horrendous rate (about a gig a day). I noticed that another question was posted on here about this (http://serverfault.com/questions/63715/apache-hit-with-proxy-request), but their access log was supposedly returning 404 errors, while mine appears to be returning 403 and 404 codes... Is this correct?

Does this in fact look like the server is blocking them correctly, and is there anything else that I could do better to cut down on my access log size? (perhaps block these requests from the server completely?)

Thanks!
Matt

UPDATE:

These are the successful proxies... But I haven't enabled ProxyRequests!! (It didn't even show up in my httpd.conf file (defaulting to no) but have since added ProxyRequests Off as the 4th line in my httpd.conf file).

3 Answers
3

You're returning 404 and 403 (both denies of various types), so I wouldn't worry about it. I'm guessing that you have an overly-optimistic vhost on there that is catching all of that traffic and trying to do something with it.

Just start to worry if you return 2xx on any of those without being able to explain it :)

Can you dump your config (anonymized) to here or pastebin or something? Alternately, go comment out the "LoadModule proxy" sections of your httpd.conf and restart apache. If it complains about anywhere, then go find those parts of your config and fix them.
– Bill Weiss, Jun 3 '10 at 18:10

Wait. All of those are coming back with the same number of bytes returned. Try doing one of those connects manually and see what you get back.
– Bill Weiss, Jun 3 '10 at 18:13

My suspicion is that you've got something that's returning a default page for any strange request, and that that page is 6103 bytes.
– Bill Weiss, Jun 3 '10 at 18:13

You are 100% correct Bill. Thank you so much for helping me figure that one out. I really appreciate it!
– Matt, Jun 3 '10 at 19:47
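
A log check for the situation discussed in the answer and comments above, as an added example that is not code from any of the posters: it picks proxy-style requests (CONNECT, or a GET with an absolute http:// URL) out of an Apache access log, counts them by status, and groups the 2xx ones by response size so that one repeated size, such as the 6103 bytes mentioned above, stands out. The common/combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Common/combined log prefix: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def is_proxy_style(method, target):
    """Forward-proxy attempts use CONNECT host:port or an absolute URI."""
    return method == "CONNECT" or target.lower().startswith(("http://", "https://"))

def audit(lines):
    """Return (status counts, 2xx proxy-style hits, byte-size counts of those hits)."""
    statuses, hits, sizes = Counter(), [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_proxy_style(m["method"], m["target"]):
            continue  # unparsable line or an ordinary origin-form request
        statuses[m["status"]] += 1
        if m["status"].startswith("2"):
            size = 0 if m["size"] == "-" else int(m["size"])
            hits.append((m["host"], m["method"], m["target"], size))
            sizes[size] += 1
    return statuses, hits, sizes

# Constructed sample lines (documentation IPs, example hosts); not from the post.
TS = "[03/Jun/2010:17:01:02 +0000]"
SAMPLE = [
    f'192.0.2.10 - - {TS} "GET http://www.example.com/ HTTP/1.1" 403 208',
    f'192.0.2.11 - - {TS} "CONNECT mail.example.net:25 HTTP/1.0" 404 210',
    f'198.51.100.7 - - {TS} "GET http://www.example.org/a HTTP/1.0" 200 6103',
    f'198.51.100.8 - - {TS} "GET http://ads.example.com/b?x=1 HTTP/1.1" 200 6103',
    f'198.51.100.9 - - {TS} "CONNECT www.example.org:443 HTTP/1.1" 200 6103',
    f'203.0.113.5 - - {TS} "GET /index.html HTTP/1.1" 200 6103',  # normal request
]

if __name__ == "__main__":
    statuses, hits, sizes = audit(SAMPLE)
    print("proxy-style requests by status:", dict(statuses))
    for size, count in sizes.most_common():
        print(f"{count} proxy-style 2xx responses of {size} bytes")
    for host, method, target, size in hits:
        print(f"check by hand: {host} {method} {target} -> {size} bytes")
```

When every proxy-style 2xx response has the same size as one of the site's own pages, that points to a locally served default page rather than relayed content; requesting one of the logged URLs by hand, as suggested above, confirms it.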

You can control who can access your proxy via the <Proxy> control block as in the following example:
    <Proxy *>
        Order Deny,Allow
        Deny from all
        Allow from 192.168.0
    </Proxy>
For more information on access control directives, see mod_authz_host.
Strictly limiting access is essential if you are using a forward proxy (using the ProxyRequests directive). Otherwise, your server can be used by any client to access arbitrary hosts while hiding his or her true identity. This is dangerous both for your network and for the Internet at large. When using a reverse proxy (using the ProxyPass directive with ProxyRequests Off), access control is less critical because clients can only contact the hosts that you have specifically configured.

I believe this will result in "403 Forbidden" responses to the client, which is a bit less secure than a "404 Not Found" because a "403 Forbidden" provides a hint that something is still there, but is forbidden.

You still get 403 codes when stuff doesn't exist, but you don't have permission to know if it's there or not.
– Chris S♦, May 28 '10 at 17:17

If a file/directory exists, but is denied using Deny from all, you'll get a '403 Forbidden'. If the directory does NOT exist, you'll get a '404 Not Found'.
– Stefan Lasiewski, May 28 '10 at 18:44

Try this: make a directory like /secret, then a subdirectory /secret/too, and set deny from all on the secret directory. If you try to browse /secret/too or /secret/again, both will return 403 Forbidden, even though the again directory doesn't exist. Hence "you don't have permission to know if it exists or not" will cause a 403.
– Chris S♦, Jun 3 '10 at 18:31